A vulnerability was discovered that can lead to a use-after-free when using prepared statements. This vulnerability is present in all releases
at least back to version 3.0 of the driver, released in 2005.

A vulnerability was discovered that can lead to a buffer overflow, possibly
triggered by user-supplied data. This vulnerability is present in all releases
at least back to version 3.0 of the driver, released in 2005.

Users of DBD::mysql are advised to patch their installations as soon as
possible.

We have already made a pre-announcement for this security release on
the distros security mailing list. People using DBD::mysql installed from their
(Linux) distributions can expect to receive an updated version soon.

Many thanks to Pali Rohár for discovering and fixing the vulnerability.

We're pleased to announce the release of DBD::mysql 4.033_01, the Perl DBI driver for MySQL and MariaDB databases. This is not a 'stable' release but is intended for testing and feedback. We'll put out a stable 4.034 release soon, probably before Christmas.

Linking against SSL by default?

Apart from that, I'd like to announce that we might want to link to
SSL by default. MySQL 5.7 makes SSL connections to databases more
common; right now in DBD::mysql you need to pass an option to
Makefile.PL (--ssl) in order to enable linking to libssl. Of course,
many people (and Linux distributions!) don't do this by default. At
the expense of the added dependency on libssl, we'd want to default to
compiling against libssl. We'd introduce a --nossl flag for the cases
where you explicitly do NOT want to link to SSL. When DBD::mysql is
compiled against libssl you can still make connections to servers that
do not use SSL.

Compile against libssl by default. This allows connecting to remote MySQL servers using SSL. Previously this was only achieved with an explicit switch provided to Makefile.PL; if for some reason you can't or don't want to link against libssl, you can use the new --nossl switch to Makefile.PL.

But now we have Perl 5.18, and some of the ideas behind smartmatch turned out to be a little too smart, so we now consider it an experimental feature. So even code like this, when executed on a 5.18 perl, gives warnings:

The well-known libnet modules provide Perl programmers with a low-level interface to POP3 and SMTP servers, among others.

This works fine in general, but over the past years most mail servers have stopped offering 'plain' SMTP and POP3 access and instead use either SSL or TLS encryption. This has led to a plethora of modules on CPAN to support SMTP via SSL or TLS and also POP3 via SSL. Until recently this was not the case for POP3 over TLS (the STLS upgrade of a plain connection). But earlier this week Steffen Ullrich, the maintainer of IO::Socket::SSL, released a new version of Net::SSLGlue that also allows connecting to POP3 over TLS. And unlike many of the other modules, it also allows verifying the SSL certificate of the remote server for extra security. Net::SSLGlue works for Net::SMTP, Net::POP3, Net::LDAP, and LWP.

Here is an example of how you can connect to a POP3 mail server over TLS:
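As an added illustration (not the post's own snippet), the script below opens a plain Net::POP3 connection, upgrades it with STLS through Net::SSLGlue::POP3 before any credentials are sent, and makes IO::Socket::SSL verify both the certificate chain and the hostname. The server name, account and CA bundle path are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::POP3;
use Net::SSLGlue::POP3;                    # adds SSL => 1 and starttls() to Net::POP3
use IO::Socket::SSL qw(SSL_VERIFY_PEER);   # exports the verify-mode constant

# Placeholders: replace with your server, account and CA bundle.
my $host = 'pop.example.com';
my $user = 'someone@example.com';
my $pass = $ENV{POP3_PASSWORD} // die "set POP3_PASSWORD in the environment\n";
my $ca   = '/etc/ssl/certs/ca-certificates.crt';

# Plain TCP connection on port 110; nothing sensitive is sent yet.
my $pop = Net::POP3->new($host, Port => 110, Timeout => 30)
    or die "cannot connect to $host: $@\n";

# Upgrade with STLS. SSL_verify_mode => SSL_VERIFY_PEER rejects a server whose
# certificate does not chain to a CA in $ca; SSL_verifycn_name/_scheme make
# IO::Socket::SSL check that the certificate is actually issued for $host, so a
# valid certificate for some other name is refused as well.
$pop->starttls(
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca,
    SSL_verifycn_name   => $host,
    SSL_verifycn_scheme => 'pop3',
) or die "STLS/TLS handshake failed: " . IO::Socket::SSL::errstr() . "\n";

# Only now, on the verified encrypted channel, authenticate.
# login() returns the message count ("0E0" for an empty mailbox) or undef on failure.
my $count = $pop->login($user, $pass);
defined $count or die "login failed: " . $pop->message;
printf "%d message(s) in mailbox\n", $count;

# list() with no argument returns a hashref of message number => size in bytes.
my $sizes = $pop->list;
for my $num (sort { $a <=> $b } keys %$sizes) {
    printf "  message %d: %d bytes\n", $num, $sizes->{$num};
}

$pop->quit;
```

For a server that only offers POP3S on port 995, the same SSL_* options go to the constructor together with SSL => 1 instead of to starttls().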